08-15-2012 02:07 PM - edited 03-07-2019 08:21 AM
I'm running WCCP between a Nexus 7K and a Bluecoat ProxySG. I've attached a Visio which shows an overview of how all the pieces fit together. I'll also describe it here:
For the purpose of discussing this issue, only two VLANs on the 7K matter. These are VLAN38, on which the inside interface of the firewall to the Internet is attached, and VLAN39, on which the web-cache engine (ProxySG) is attached. The relevant WCCP configuration is below:
feature wccp
!
ip wccp 97 redirect-list Remote-WCCP
ip wccp 98 redirect-list FNB-WCCP
!
ip access-list FNB-WCCP
10 deny ip 172.19.0.0/16 156.99.45.0/25
20 deny ip 172.19.0.0/16 156.99.46.0/25
30 deny ip 172.19.0.0/16 156.99.112.0/25
40 deny ip 172.19.0.0/16 156.99.242.208/28
50 deny ip 172.19.0.0/16 156.99.167.192/26
60 deny ip 172.19.0.0/16 156.99.8.192/28
70 deny ip 172.19.0.0/16 156.99.193.0/25
80 deny ip 172.19.0.0/16 192.168.0.0/16
90 permit tcp 172.19.30.96/32 any eq www
100 permit tcp 172.19.30.96/32 any eq 443
!
interface Vlan38
no ip redirects
ip address 172.19.38.3/24
ip ospf passive-interface
ip router ospf 100 area 0.0.0.0
ip wccp 98 redirect out
hsrp 38
authentication text deed
preempt
priority 110
ip 172.19.38.1
description IP Inside Firewall
no shutdown
!
interface Vlan39
description Bluecoat
no shutdown
no ip redirects
ip address 172.19.39.3/24
ip ospf passive-interface
ip router ospf 100 area 0.0.0.0
ip wccp redirect exclude in
hsrp 39
authentication text deed
preempt
priority 110
ip 172.19.39.1
Two other pieces of information that I think are relevant are that the ProxySG was configured to use the HSRP virtual IP address of the SVI on the Nexus and that WCCP is in L2 mode (not GRE).
So here's the problem. When the ProxySG receives traffic that is to be bypassed (policy NOT applied), it seems to send the traffic back to the Nexus but not via WCCP. In other words, the "Total Bypassed Packets Received" counter doesn't increment. The traffic comes back to the Nexus because the ProxySG sends the traffic on its way towards the Internet, and since the Nexus is the default gateway for the ProxySG, that's where it goes. The problem is (at least this is what I think) that the Nexus then tries to send it back out. In the process it hits the WCCP redirect ACL again and it goes back to the ProxySG. This loop is repeated over and over again. This is what I see when I do a packet capture on the port connected to the ProxySG. I think that I can get around this if I move the ProxySG to VLAN38 and change the default gateway of the ProxySG to the firewall's address. I am wondering about this counter, "Total Bypassed Packets Received". That counter seems to suggest that if the web-cache engine determines that the traffic is to bypass policy, it'd send it back to the WCCP server for normal processing.
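The loop described in the post, as an added model that is not part of the original thread or any vendor code: the redirect list FNB-WCCP is re-implemented as data and evaluated the way an NX-OS ACL is evaluated (first match wins, implicit deny), then a bypassed flow is walked Nexus -> ProxySG -> Nexus. The walk assumes, as the post's own reasoning implies, that the ProxySG forwards a bypassed packet with the client's original source address (172.19.30.96) so it re-matches the permit entries on the way out Vlan38. Vlan30 as the client VLAN and 203.0.113.10 as the Internet destination are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Redirect list FNB-WCCP from the post, as (action, protocol, source, destination, dport).
# 'any' destination is written as 0.0.0.0/0; dport None means any port.
FNB_WCCP = [
    ("deny",   "ip",  "172.19.0.0/16",   "156.99.45.0/25",    None),
    ("deny",   "ip",  "172.19.0.0/16",   "156.99.46.0/25",    None),
    ("deny",   "ip",  "172.19.0.0/16",   "156.99.112.0/25",   None),
    ("deny",   "ip",  "172.19.0.0/16",   "156.99.242.208/28", None),
    ("deny",   "ip",  "172.19.0.0/16",   "156.99.167.192/26", None),
    ("deny",   "ip",  "172.19.0.0/16",   "156.99.8.192/28",   None),
    ("deny",   "ip",  "172.19.0.0/16",   "156.99.193.0/25",   None),
    ("deny",   "ip",  "172.19.0.0/16",   "192.168.0.0/16",    None),
    ("permit", "tcp", "172.19.30.96/32", "0.0.0.0/0",         80),
    ("permit", "tcp", "172.19.30.96/32", "0.0.0.0/0",         443),
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80

def redirect_list_permits(pkt: Packet, acl=FNB_WCCP) -> bool:
    """First matching entry decides; no match is the implicit deny (not redirected)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for action, proto, s_net, d_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src not in ipaddress.ip_network(s_net):
            continue
        if dst not in ipaddress.ip_network(d_net):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False

# Per-interface WCCP settings from the post: Vlan38 has 'ip wccp 98 redirect out',
# Vlan39 (ProxySG) has 'ip wccp redirect exclude in'. Vlan30 is an assumed client VLAN.
INTERFACES = {
    "Vlan38": {"redirect_out": True,  "exclude_in": False},
    "Vlan39": {"redirect_out": False, "exclude_in": True},
    "Vlan30": {"redirect_out": False, "exclude_in": False},
}

def walk_bypassed_flow(pkt: Packet, ingress: str, honor_exclude_in: bool,
                       max_hops: int = 6) -> list:
    """Return the hop list for a flow the ProxySG decides to bypass.

    Every Nexus pass egresses Vlan38 toward the firewall. If the redirect list
    permits the packet and the ingress interface is not excluded, the packet is
    handed to the ProxySG on Vlan39; the proxy bypasses it and sends it to its
    default gateway, so it re-enters the Nexus on Vlan39 with the same addresses.
    """
    hops = []
    for _ in range(max_hops):
        excluded = honor_exclude_in and INTERFACES[ingress]["exclude_in"]
        if (INTERFACES["Vlan38"]["redirect_out"] and not excluded
                and redirect_list_permits(pkt)):
            hops.append(f"Nexus({ingress})->ProxySG(Vlan39)")
            hops.append("ProxySG bypass -> default gw")  # source address unchanged
            ingress = "Vlan39"
            continue
        hops.append(f"Nexus({ingress})->firewall(Vlan38)")
        return hops
    hops.append("LOOP")
    return hops

def loops(pkt: Packet, ingress: str, honor_exclude_in: bool) -> bool:
    """True when the flow never reaches the firewall within max_hops."""
    return walk_bypassed_flow(pkt, ingress, honor_exclude_in)[-1] == "LOOP"

if __name__ == "__main__":
    web = Packet("172.19.30.96", "203.0.113.10", "tcp", 80)
    for honour in (True, False):
        print(f"exclude-in honoured={honour}: "
              + " | ".join(walk_bypassed_flow(web, "Vlan30", honour)))
```

With `exclude in` honoured on Vlan39, the bypassed packet is redirected exactly once and then forwarded to the firewall; with it ignored, every pass out Vlan38 re-matches the permit entries and the packet ping-pongs until the hop budget runs out, which is the pattern the capture on the ProxySG port shows. Moving the ProxySG off the Nexus default-gateway path, as the post proposes, removes the second pass altogether.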
09-19-2012 08:44 AM
We ran into problems as well, but were on an unsupported NX-OS version. What version of NX-OS are you running?
Cheers,
Ben
09-19-2012 08:52 AM
6.0(2).
I opened a TAC case on this and the TAC engineer stated that I was hitting a new bug.
09-19-2012 10:32 AM
Thank you for the information. We'll keep an eye on that when we're ready to move to 6.
Cheers,
Ben